Last Call Review of draft-ietf-lamps-cert-binding-for-multi-auth-05
review-ietf-lamps-cert-binding-for-multi-auth-05-secdir-lc-kelly-2024-07-21-00
| Request | Review of draft-ietf-lamps-cert-binding-for-multi-auth |
|---|---|
| Requested revision | No specific revision (document currently at 05) |
| Type | Last Call Review |
| Team | Security Area Directorate (secdir) |
| Deadline | 2024-05-16 |
| Requested | 2024-05-02 |
| Authors | Alison Becker, Rebecca Guthrie, Michael J. Jenkins |
| I-D last updated | 2024-07-21 |
| Completed reviews | Artart Last Call review of -05 by Robert Sparks; Secdir Last Call review of -05 by Scott G. Kelly |
| Assignment | Reviewer: Scott G. Kelly |
| State | Completed |
| Request | Last Call review on draft-ietf-lamps-cert-binding-for-multi-auth by Security Area Directorate Assigned |
| Posted at | https://mailarchive.ietf.org/arch/msg/secdir/ykN6q6ZnzQWYaPOXkLUk8F72xQg |
| Reviewed revision | 05 |
| Result | Ready |
| Completed | 2024-07-21 |
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

The summary of the review is ready.

This review is more than a month late, so I hope it is still useful.

From the abstract:

> This document defines a new CSR attribute, relatedCertRequest, and a new X.509 certificate extension, RelatedCertificate. The use of the relatedCertRequest attribute in a CSR and the inclusion of the RelatedCertificate extension in the resulting certificate together provide additional assurance that two certificates each belong to the same end entity.

The document describes an example use case illustrating migration from a classic cert to a PQ certificate. The security considerations section calls out the security considerations of RFC 5280, and also discusses the potential for downgrade attacks and risks relating to retrieval of the related cert. I see no additional security considerations, and think the document is ready from a security perspective.